Data Residency & Encryption

Regions

You pick at signup and that's where everything lives — operational tables, time-series, logs. No cross-region replication unless you explicitly turn on a DR replica, which is an Enterprise-only feature.

In transit

Customer to MonPG: TLS 1.3 minimum, HSTS enforced, public CT-logged Let's Encrypt certs that rotate every 60 days. We don't accept TLS 1.2 anywhere on the public surface.

MonPG to your DB (hosted mode): TLS 1.2+ via libpq, configurable per server (require, verify-ca, or verify-full). Most managed PG providers serve verify-full certs out of the box; pick that mode if your provider does.

Internal: mTLS within the Azure VNet. Container Apps' Envoy sidecar enforces it; nothing inside the VNet talks plaintext.

At rest

The PostgreSQL operational store runs on Azure Database for PostgreSQL Flexible Server with Azure-managed encryption keys by default. ClickHouse sits on Azure Disk Encryption with AES-256, and per-tenant Row Policies provide logical isolation on top of disk-level encryption. Azure Key Vault is HSM-backed and that's where wrapping keys for customer DB credentials live. Backups carry the same encryption profile as the primary, plus an additional layer of separate encryption keys at the Azure Blob layer where backup files land.

Customer-managed keys

Enterprise plan only. You provision an Azure Key Vault key in your own subscription, grant our tenant WrapKey/UnwrapKey, and we use that key to wrap your operational store + DB credentials. Revoking access is instant — your data becomes unreadable to us the moment you flip the access policy. We've never had to test this in anger but the path is documented in the Enterprise onboarding doc and we walk you through it during contract.